CVE-2023-46242: XWiki Platform vulnerable to remote code execution via the edit action because it lacks CSRF token
9.7
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.86584%
CWE
Published
11/7/2023
Updated
11/14/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.xwiki.platform:xwiki-platform-oldcore | maven | >= 1.0, < 14.10.7 | 14.10.7 |
| org.xwiki.platform:xwiki-platform-oldcore | maven | >= 15.0, < 15.2-rc-1 | 15.2-rc-1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing CSRF protection in the edit action's document preparation logic. The patched commit shows the vulnerable code path in prepareEditedDocument() handled document modifications without checking the CSRF token. This function is directly responsible for processing user-submitted content changes, and its pre-patch version failed to validate() request authenticity, making it the entry point for CSRF-based privilege escalation and code injection attacks. The addition of CSRFToken validation in this method in the fix confirms its critical role in the vulnerability.